Graphical Passwords for Emergent Users
A Four-day Recall Comparative Study on PIN, Passfaces and Celebrities
Role
Research Assistant
Project Duration
3 Months

Introduction
001
The paper explores the usability of graphical passwords, particularly Passfaces, for emergent users compared to PINs. It suggests that using familiar faces can enhance memorability and provides valuable insights into designing authentication mechanisms for this user group.
Key contributions of the paper include:
- Proposing a lab-based method to compare password-setting techniques efficiently.
- Reporting success rates for first-time usability and 4-day memorability.
- Analyzing the popularity of celebrities in the Passfaces set and their impact on memorability.
- Presenting an analysis of login attempts and success/failure percentages.
Background
002
- Alphanumeric passwords are commonly used but have security concerns.
- Weak passwords include names, dictionary words, and personal information-related numbers.
- Alphanumeric passwords can be easily written down, making them vulnerable.
- Logical attacks involve guessing passwords based on personal information like birthdates.
- Shoulder surfing is a threat where attackers watch users entering passwords.
- PIN-based passwords are popular on mobile devices but are prone to shoulder surfing and smudge attacks.
- Randomising password entry interfaces can help but is often unpopular with users.
- A study by Market et al. analysed 80,000 smartphone PINs and found many users choose weak and predictable ones.
- Factors like age, gender, and device type influence PIN selection.
- PIN guessing attacks can be highly successful, with over a 40% success rate in some cases.
- Recommendations include using longer and more complex PINs and implementing measures to prevent brute-force attacks, such as limiting retry attempts.
- In this study, a password length of 6 was considered to enhance complexity.
Study Design
003
The study aimed to assess the performance of emergent users using three password interaction methods: Passfaces with unknown faces, Passfaces with celebrity faces (Celebrities), and PIN as a baseline. Because emergent users come from diverse backgrounds, PINs were chosen as a familiar baseline. The password length was restricted to six digits.
- PINs had a password space of 10^6 with guess-ability of 1/10^6.
- Passfaces and Celebrities had a 4x4 grid (16 faces per page), resulting in a password space of 1.7 * 10^7, 17 times larger than PINs, with lower guess-ability.
- Different sets of faces were offered for each digit in Passfaces and Celebrities, enhancing security.
- Passwords were not masked, considering users' potential unfamiliarity with password entry.
- Keypad layout was not randomised due to potential issues for emergent users, as it could affect PIN entry more than Passfaces and Celebrities.
Interfaces
004
We created three prototypes for comparing the three interaction techniques: PIN, Passfaces with unknown faces, and Celebrities (Passfaces with celebrity faces). Each prototype allowed participants to set up, confirm, and recall a password. The prototypes recorded the time for each task, participant input (selected passwords), and recall results, including errors, attempts, and wrong entries, in a tabular format. The prototypes underwent iterations based on insights from a pilot test. Below, we present the final designs.
Pin Password

Passfaces Password with unknown faces

Passfaces Password with celebrity faces

Method
005
We recruited 66 emergent users with less than 7 years of schooling, ensuring an equal gender balance and representing ages between 35 and 55. We also had an equal mix of smartphone and feature phone users.
Each participant took part in four sessions, with a gap of 4 to 5 days between sessions, totalling 12-13 days per participant. The order of the password tasks was varied to minimise learning effects. We used four identical smartphones to run the test prototypes.
In the first session, participants were briefed on the study, consented to participate, and received training on the first password mechanism. They set a password, confirmed it, and were given a 5-minute distraction task. Distraction tasks were designed to be similar to the password tasks.
Next, participants attempted to recall their password (Recall 1). If they couldn't recall it, they were allowed multiple attempts. Failure to recall was recorded. The first session ended here.
In the second session, participants did Recall 2 of the first password mechanism, set and confirmed a password for the second mechanism, did another distraction task, and then Recall 1 of the second mechanism. The third and fourth sessions followed a similar pattern.
After the fourth session, we conducted a post-test survey to understand user behaviour, including Likert scale ratings for password difficulty and the strategy behind password selection.

Results
006
Success Rate
Success in Recall 1 shows how easy it is to use a password method for the first time (first-time usability). Success rates in Recall 2, overall, reflect both first-time usability and how well participants remembered the password after four days (4-day memorability).
If we only look at Recall 2 success rates for participants who succeeded in Recall 1, we can specifically assess 4-day memorability, which is the main focus of our study.
Time Taken
- A statistical analysis showed a significant difference in the time taken to set up the three password mechanisms (PIN, Passfaces, Celebrities).
- Specifically, setting up Celebrities took significantly more time compared to PIN, potentially because users spent extra time choosing their favorite celebrities.
- However, there was no significant difference in setup times between PIN and Passfaces, or between Passfaces and Celebrities.
- In terms of Recall 1 (the first attempt to recall), there were no significant differences in the time taken among the three password conditions, although PIN was the quickest.
- For Recall 2 (recall after four days), there was a statistically significant difference in the time taken for the three password mechanisms.
- PIN was significantly faster to recall compared to Passfaces and Celebrities.
- There was no significant difference in recall times between PIN and Celebrities.
Number of Attempts
For all three types of passwords, successful recalls occurred only up to attempt 4. The participants who took more than 4 attempts couldn’t recall any of the passwords at all. This helps justify the practice of giving the user 3-5 reattempts while entering a password. Friedman’s test was used to check for a significant difference in the number of attempts across password mechanisms. No significant difference emerged.
Choice of Passwords
- For PINs, 50% of the passwords exhibited patterns.
- For Passfaces, 33% of the passwords showed patterns.
- For Celebrities, 21% of the passwords displayed patterns.
Post-test Survey
- Many participants who chose PINs were influenced by the keyboard layout as it made recall easier. This preference, however, often led to the creation of pattern-based passwords.
- Some participants mentioned they had opted for randomly generated PINs, although this was less common.
- For Passfaces, users tried to identify faces based on distinct features. When facing difficulties, such as indecision, they resorted to location-based selections, resulting in pattern-based passwords.
- In the case of Celebrities, there were fewer instances of location-based selections. Participants mostly chose celebrities they knew or could identify, based on personal preferences.
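An added example (not code from the paper or the study's prototypes): one way an enrolment screen could flag the keypad-driven and location-based selections described above, for both the PIN keypad and the 4x4 face grid. The four heuristics, their labels, and the sample passwords are assumptions constructed for illustration; this page does not give the study's own definition of a pattern.

```python
# Added example: heuristics and sample passwords are assumptions, not the study's.
# A selection is six ints: PIN digits, or cell indices 0-15 on a 4x4 face page.
# Faces differ per page, so only the chosen position is compared across pages.
KEYPAD = {d: divmod(d - 1, 3) for d in range(1, 10)}  # digit -> (row, col)
KEYPAD[0] = (3, 1)                                     # 0 sits under the 8
GRID_4X4 = {i: divmod(i, 4) for i in range(16)}        # cell -> (row, col)


def pattern_of(selection, layout):
    """Return a label if the selection looks layout-driven, else None."""
    cells = [layout[s] for s in selection]
    if len(set(cells)) == 1:
        return "same-position"    # e.g. 111111, or the top-left face every page
    steps = {b - a for a, b in zip(selection, selection[1:])}
    if steps in ({1}, {-1}):
        return "sequence"         # e.g. 123456, or cells in reading order
    if len({r for r, _ in cells}) == 1 or len({c for _, c in cells}) == 1:
        return "single-line"      # every pick in one row or one column
    if all(max(abs(r2 - r1), abs(c2 - c1)) <= 1
           for (r1, c1), (r2, c2) in zip(cells, cells[1:])):
        return "adjacent-walk"    # each pick neighbours the previous one
    return None


def pattern_share(selections, layout):
    """Fraction of selections flagged by pattern_of."""
    flagged = sum(pattern_of(s, layout) is not None for s in selections)
    return flagged / len(selections)


def digits(pin):
    """Turn a PIN string into a list of digit values."""
    return [int(ch) for ch in pin]


# Constructed samples, not data from the study.
SAMPLE_PINS = [digits(p) for p in ("123456", "111111", "147852", "739204")]
SAMPLE_GRID = [[0, 0, 0, 0, 0, 0], [0, 5, 10, 15, 10, 5],
               [1, 5, 9, 13, 9, 5], [3, 12, 6, 9, 0, 15]]

if __name__ == "__main__":
    for name, data, layout in (("PIN", SAMPLE_PINS, KEYPAD),
                               ("4x4 grid", SAMPLE_GRID, GRID_4X4)):
        print(name, [pattern_of(s, layout) for s in data],
              f"share={pattern_share(data, layout):.0%}")
```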
Conclusion
- A comprehensive comparison was conducted among three password types: PIN-based passwords, Passfaces with unknown faces, and Celebrities (Passfaces with celebrity faces) in a lab-based within-subjects study.
- Passfaces and Celebrities were designed with larger password spaces compared to PIN, thus improving their security.
- While first-time usability was similar across all conditions, Celebrities and PIN exhibited significantly better memorability than traditional Passfaces.
- Longer setup times for Celebrities were attributed to participants' careful password selection, but Celebrities demonstrated reduced susceptibility to pattern-based passwords compared to PIN or Passfaces.
- The Celebrities mechanism offers usability and memorability comparable to numerical PIN, with the added benefits of a larger password space and localization potential.
- Careful selection of celebrities and randomizing layouts could further enhance its security, requiring additional research for validation.
- Despite some limitations, such as a relatively small sample size and geographic restrictions, the study provides valuable insights into improving password mechanisms for emergent users.